Access VPN on Router, connection working but no traffic flow

AZaburdyayev
Level 1

Hello!

I have configured a VPN on a Cisco 2811. Currently the user can connect to the router and the VPN tunnel is established, but there is no data flow. I get my external IP from the ISP over a p2p network, 10.10.1.4/30. If I try to ping the router I see the answer to the ping (debug ip icmp), but the client doesn't get it. I think I forgot something but can't find what; please help.

Here is the config:

!

aaa authentication login vpn_xauth local
aaa authorization network vpn_grp local

!

interface Loopback3
ip address <extIP>  255.255.255.252
crypto map cm_VPN

!

interface FastEthernet0/0
description if_Lan
ip address 192.168.6.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

!

interface FastEthernet0/0.678
description P2P
encapsulation dot1Q 678
ip address 10.10.1.6 255.255.255.252
no ip redirects
no ip proxy-arp
ip virtual-reassembly
!

crypto isakmp policy 10000
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key password
dns 89.218.95.194
pool pl_RmACC
acl 100
netmask 255.255.255.240
crypto isakmp profile AccVPN
   match identity group VPN
   client authentication list vpn_xauth
   isakmp authorization list vpn_grp
   client configuration address respond
!
!
crypto ipsec transform-set ts_VPN esp-aes esp-sha-hmac comp-lzs
!
!
crypto dynamic-map dm_AccVPN 10
set transform-set ts_VPN
set isakmp-profile AccVPN
match address 100
!
!
crypto map cm_VPN client authentication list vpn_xauth
crypto map cm_VPN isakmp authorization list vpn_grp
crypto map cm_VPN client configuration address respond
crypto map cm_VPN 65535 ipsec-isakmp dynamic dm_AccVPN
!

access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15
!

!
ip local pool pl_RmACC 192.168.7.2 192.168.7.14
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.1.5
ip route 0.0.0.0 0.0.0.0 Null0 250

6 Replies

Hi,

To which IP do the VPN clients connect?

What is the output of the following commands:

sh cry isa sa

sh cry ips sa

Federico.

VPN traffic lands on the loopback interface. It creates the connection. I tried to use a route-map to forward the traffic the correct way. Currently I have applied "crypto map cm_VPN local-address Loopback3" and applied the crypto map on the outside interface f0/0.678.

sh cry isa sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
   95.59.145.228   QM_IDLE           1041 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1040 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1039 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1038 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1037 ACTIVE AccVPN
   192.168.6.107   QM_IDLE           1036 ACTIVE AccVPN

sh cry ips sa - is empty

The debug shows the following:

May 12 06:18:14.886: map_db_find_best did not find matching map
May 12 06:18:14.886: IPSEC(ipsec_process_proposal): proxy identities not supported
May 12 06:18:14.886: ISAKMP:(1039): IPSec policy invalidated proposal with error 32
May 12 06:18:14.886: ISAKMP:(1039):Checking IPSec proposal 14
May 12 06:18:14.886: ISAKMP: transform 1, ESP_DES
May 12 06:18:14.886: ISAKMP:   attributes in transform:
May 12 06:18:14.886: ISAKMP:      authenticator is HMAC-MD5
May 12 06:18:14.886: ISAKMP:      encaps is 61443 (Tunnel-UDP)
May 12 06:18:14.938: ISAKMP:(1039):peer does not do paranoid keepalives.
May 12 06:18:14.938: ISAKMP:(1039):deleting node 301499132 error FALSE reason "Informational (in) state 1"
May 12 06:18:14.938: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 12 06:18:14.938: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
May 12 06:18:21.286: ISAKMP:(1038): retransmitting phase 2 QM_IDLE       51906388 ...
May 12 06:18:21.286: ISAKMP (1038): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 12 06:18:21.286: ISAKMP (1038): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
May 12 06:18:21.286: ISAKMP:(1038): retransmitting phase 2 51906388 QM_IDLE
May 12 06:18:21.286: ISAKMP:(1038): sending packet to 95.59.145.228 my_port 4500 peer_port 53237 (R) QM_IDLE


OK, it works now. Actually I don't understand everything, but:
Added to
crypto isakmp profile AccVPN
+ client configuration group VPN
crypto dynamic-map dm_AccVPN 10
- match address 100
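As an added example (not the poster's final configuration and not Cisco's own sample), here are the relevant parts of the original config with the two changes reported above applied, plus the crypto map placed on the p2p subinterface with local-address Loopback3, as the poster described in an earlier reply. Interface names, addresses, ACL 100, the pool and the group name come from the original post; the reverse-route line and the explanatory comments are assumptions added here.

```cisco
! Added example, not the poster's config: original pieces plus the two
! changes from this thread and the crypto map on the p2p subinterface.
aaa authentication login vpn_xauth local
aaa authorization network vpn_grp local
!
! Public /30 lives on a loopback; the ISP routes it to us over the p2p link.
interface Loopback3
 ip address <extIP> 255.255.255.252
 ! No crypto map needed here: IPsec is processed on the interface the packets
 ! actually enter and leave through, which is the p2p subinterface below.
!
interface FastEthernet0/0
 description if_Lan
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.678
 description P2P
 encapsulation dot1Q 678
 ip address 10.10.1.6 255.255.255.252
 ! The crypto map must sit on the interface the default route exits through;
 ! otherwise return traffic to the client pool (192.168.7.0/28) leaves in the
 ! clear instead of being matched by the client's dynamic SA and encrypted.
 crypto map cm_VPN
!
crypto isakmp policy 10000
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key password
 dns 89.218.95.194
 pool pl_RmACC
 ! ACL 100 is the split-tunnel list pushed to the client. It is not a crypto
 ! ACL and must not be referenced by the dynamic map.
 acl 100
 netmask 255.255.255.240
!
crypto isakmp profile AccVPN
 match identity group VPN
 ! Change 1 from the thread: bind the group policy to the profile.
 client configuration group VPN
 client authentication list vpn_xauth
 isakmp authorization list vpn_grp
 client configuration address respond
!
crypto ipsec transform-set ts_VPN esp-aes esp-sha-hmac comp-lzs
!
crypto dynamic-map dm_AccVPN 10
 set transform-set ts_VPN
 set isakmp-profile AccVPN
 ! Change 2 from the thread: no "match address 100" here. Remote-access
 ! clients propose their own proxy identities (pool address/32 to the split
 ! networks); a match address line rejects them, which is the
 ! "proxy identities not supported" / "did not find matching map" in the debug.
 ! Assumption: install a host route per connected client (optional).
 reverse-route
!
crypto map cm_VPN local-address Loopback3
crypto map cm_VPN client authentication list vpn_xauth
crypto map cm_VPN isakmp authorization list vpn_grp
crypto map cm_VPN client configuration address respond
crypto map cm_VPN 65535 ipsec-isakmp dynamic dm_AccVPN
!
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15
!
ip local pool pl_RmACC 192.168.7.2 192.168.7.14
ip route 0.0.0.0 0.0.0.0 10.10.1.5
```

To verify, "show crypto isakmp sa" in QM_IDLE only proves phase 1, which the thread already had. After the change, "show crypto ipsec sa" should list one SA per connected client with the client's pool address/32 as the remote identity and the #pkts encaps / #pkts decaps counters increasing while the client pings. If NAT overload is configured on the outside interface (the post shows ip nat inside on f0/0 but no NAT rules, so this is an assumption), traffic to 192.168.7.0/28 must also be exempted from NAT or it will be translated before the crypto map sees it.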

AZaburdyayev
Level 1

But this was not the issue; the main problem was the int routing!

I have added a route map on the outside interface; it redirects the traffic to the loopback! Here it is.

AZaburdyayev,

Did you get it working now?

Federico.

AZaburdyayev
Level 1

Yes! It is working!
